NuSphere MySQL: Free Beer in a Tall Glass - page 2

Integrated web development in a box.

April 16, 2001

By Scott Courtney

It was very nice, on the other hand, to have the integration between
Perl, MySQL, Apache, PHP, and OpenSSL all handled automatically. There
are quite a few little details that Just Work (tm) with this software,
and what seems to add the final bit of polish are the administrative
tools that at first seemed extraneous to me. NuSphere comes with
Webmin, an HTTP daemon that runs independently of Apache and provides
a (password protected) interface for managing a local or remote Linux
or UNIX system with a web browser. Webmin worked quite well in my
testing once I ran its configuration script from the command line
(from /usr/local/nusphere/webmin) so that it knew I had Caldera Linux
instead of Red Hat. Also included is phpMyAdmin, a very slick front end
to MySQL that allows databases and tables to be created, modified,
renamed, and even populated from a web browser. Personally, I'm
comfortable writing SQL statements directly, but I was impressed with
how easy phpMyAdmin is to use. It's very intuitive, and though
NuSphere didn't write it they were wise to include it on the disk.

Two sample web sites and numerous test scripts are automatically
installed with the NuSphere environment. The test scripts are
primitive but useful confidence tests of the basic installation,
ranging from "Hello, World" and phpinfo() to simple CGI
forms. The sample web sites include a meeting room scheduler (which is
robust enough to use in production for a small company) and a shopping
cart demonstration. The latter is not what I would call production-ready,
but it is a useful demo of the basic technique.

There are also two applications, Bugzilla and IRM, which NuSphere
calls the "professional" apps. Bugzilla is the web-based bug
tracking database used by the Mozilla team, and as such it's pretty
well debugged and tested. IRM is a simple computer inventory database
for asset tracking, somewhat primitive in appearance but with more
depth than first meets the eye (for example, it supports the notion of
scheduling the same upgrade work on multiple computers in a group).

Documentation is part of the value of NuSphere's packaging of
applications that would otherwise be free. The documentation kit has
some minor gaps, but is for the most part quite useful. Most notably,
NuSphere comes with a softbound copy of the MySQL Reference, a
700+ page tome that would be welcome on many desks. Also included --
and useful -- are several of the pocket reference guides from O'Reilly
and Associates. Apache, Perl 5, and PHP are all covered. There is also
a Getting Started guidebook, specifically written for NuSphere.
Alas, while it was mostly accurate and useful, this guidebook needs
some correction in its details. For example, the directory where .rpm
files are said to live is /mnt/cdrom/RPMS according to Getting
Started, but on the disk I was sent it is actually
/mnt/cdrom/Linux/RPMS. This is a small thing to most Linux
administrators, but NuSphere is aimed at least partially toward people
who are moving server environments to Linux or UNIX and who are not
UNIX gurus. The Getting Started guide is fine as far as it
goes, assuming a few technical corrections, but it really should be
supplemented with a more detailed reference covering the interaction
between Linux, Apache, Perl, and MySQL. This reference actually
exists in an online format, but it would have been very helpful to see
a printed copy as well.

SSL credentials are another area where the documentation is weak. To
the company's credit, NuSphere comes out of the box with Secure
Sockets Layer encryption configured and enabled. I had no trouble at
all getting it working. But real SSL is more than just an encrypted
connection -- it also involves two-way authentication of the machines
and people at the end of that connection. NuSphere comes with a
preconfigured, generic SSL certificate, but the documentation on how
to get a real one is buried deep within one of the online
manuals -- it's there, but in my opinion this should be an area that
is thoroughly and visibly documented, and perhaps even more automated.

Secure Sockets Layer uses the concept of a digital
"certificate", issued by a trusted Certificate Authority
(CA), to authenticate machine to machine. The strength of a
certificate lies not in the certificate itself but in the reputation
of the organization that issues or validates that certificate.
NuSphere comes preconfigured with a bogus SSL certificate that works
fine for testing. In order to run a real web site, though, administrators
would need to create a new certificate. Depending on their needs, they can
either have an established CA agree to back their new certificate (a
process known as signing and accomplished with hash codes and public-key
encryption), or they can sign the certificate themselves. The
latter is enough for casual encryption to keep passwords from crossing
the net in cleartext, but it is by no means acceptable for large-scale
e-commerce.

In any case, the process of creating a certificate involves generating
(and securely storing) a private/public key pair and then getting the
public portion of that key (and the link to the applicable CA) into
the user's browser. At runtime, then, the CA can be contacted to say
to the browser, "Yes, the public key you have presented really is
the public key of XYZ company." Instructions for doing most of
this are online in the NuSphere documentation, but I think this should
be made more visible to the user because it is very likely to be
needed by companies interested in e-commerce. This is a small gripe with
documentation that is otherwise pretty good.
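The two paths the article describes, having an established CA back a new certificate versus signing it yourself, as an added shell example built on the OpenSSL tools NuSphere bundles (this is not NuSphere's or the author's code; the throwaway CA, the server name and all file names are made up for the demo):

```shell
#!/bin/sh
# Added example (not NuSphere's or the article's own code). Assumes the
# bundled openssl binary is on PATH; every name below is invented.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Step 1: the server's private/public key pair. The .key file is the part
# the article says must be stored securely; only the public half is
# embedded in the certificate that browsers see.
gen_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# Step 2: a signing request carrying the public key and the server name.
make_csr() { openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null; }

# Step 3a: an established CA backs the request by signing it with the CA's
# own key (the hash-plus-public-key signing the article refers to).
ca_sign() {
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out "$2" 2>/dev/null
}

# Step 3b: or the administrator signs with the server's own key (self-signed).
self_sign() {
  openssl req -x509 -new -key "$1" -days 30 -subj "/CN=$2" -out "$3" 2>/dev/null
}

# What a browser effectively does with a presented certificate: check that
# it chains to a CA it already trusts. Prints "ok" or "untrusted".
verify_against_ca() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted; return 1
  fi
}

setup_demo() {
  # A throwaway CA standing in for the "established CA" of the article.
  gen_key ca.key
  openssl req -x509 -new -key ca.key -days 30 -subj "/CN=Demo CA" -out ca.crt 2>/dev/null
  gen_key server.key
  make_csr server.key server.csr www.example.test
  ca_sign server.csr server-ca.crt                       # CA-backed certificate
  self_sign server.key www.example.test server-self.crt  # self-signed certificate
}

setup_demo
echo "CA-signed:   $(verify_against_ca server-ca.crt)"
echo "self-signed: $(verify_against_ca server-self.crt || true)"
```

The CA-backed certificate verifies against the demo CA while the self-signed one is rejected, which is why a browser warns on a self-signed site outside of casual testing.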

I would have liked to see the default security be a little tighter,
with mandatory entry of real passwords by the installer instead of
just assigning defaults and then telling the user to change them.
Hopefully, though, anyone who's building a web e-commerce site will
know the importance of this without being told, whether they use a
tool like NuSphere to save installation time or they do it the old
fashioned way for maximum control. And integrating web configuration
with firewall settings in the administration screens would be a great
enhancement in a future version.